Sometimes, seeing several permutations of a famous company’s domain names is not just a mere coincidence. Often, these are typosquatting attempts. They are not merely a nuisance, either, because clicking such a URL can have severe effects.

Take the cases of several major companies like Netflix, Paypal, Samsung, and LinkedIn, among others. In a typosquatting campaign, cyber attackers created “.om” domains that mimicked those of popular brands so that people who mistakenly type ”.om” instead of “.com” would end up visiting the bogus sites.

Typosquatting is a known cybercriminal tactic to trick victims into visiting malicious pages. It is a tried-and-tested technique that can pose perils to both the spoofed business and its customers, including:

• Information loss: Threat actors use this tactic to harvest users’ account credentials and other personally identifiable information (PII).
• Brand damage: When fake domains impersonate your brand, your customers or potential clients can end up redirected to malicious pages. If that happens, they may lose faith in your brand as a result of the negative experience and even hold you responsible for not anticipating the attack.

The Curious Case of “Apple Support” Pages

Having a huge following can be both a blessing and a curse. While more users mean more profits, it also translates to more potential cybercrime victims.

Apple is one example of a company with a huge “cult” following. In 2019, it had 1 billion active iPhone, iPad, and Mac users. And so it’s not surprising that threat actors may wish to spoof its domains. We found four domains from our typosquatting tool that seem to be spoofing its official support page:

• appleidsupporta[.]info
• appleidsupporta[.]org
• appleidsupports[.]org
• appleidsupports[.]info

We know that not all look-alike domains are malicious. Some companies buy misspelled variants of their domains as a countermeasure against typosquatting. And they also use country-code TLDs (ccTLDs) and the new gTLDs for product releases or local sites.

Organizations that want to invest in domains with up and coming gTLDs or protect their brands against abusers can continuously check for available names using a tool such as Domain Availability Check. They can also use Brand Monitor to spot potential brand abusers.

We also know, though, that a lot of typosquatted domains figure in phishing campaigns. And if Apple does not own any of the domains we found, then it may be best to stay away from them.

And so we dug deeper. First, we ran each domain on WHOIS API to see who their owners were. Here’s what we found:

• All of the domains were newly created, that is, in November 2019.
• All of them are privately registered, most likely by the same individual or entity, given the consistency in the WHOIS data on their records.

While those details are not proof of foul play, we also know that should Apple Support email users, it is likely to use an address with the domain support[.]apple[.]com. We also took a look at the WHOIS record of its official support domain and found that:

• It has been up for 12,012 days (around 33 years) and not a mere month and a half like its look-alikes.

• It is not privately registered, unlike its look-alikes. And it uses a different registrar and is hosted in the U.S. and not Canada.

If Apple registered the four domains, their records would likely show the same details as that of the real support page. While we can’t say for sure what the domain owner’s motives are, it may be a good idea not to interact with anyone who uses the appleidsupporta[.]info, appleidsupporta[.]org, appleidsupports[.]org, and appleidsupports[.]info domains, especially if that message sender is asking you to divulge personal information.

* * *

When faced with a suspicious-looking domain, merely relying on age-old tactics of making sure a URL is preceded by HTTPS or the presence of a company’s logo or brand in the domain name is no longer enough. Typosquatted domains can very closely mimic those of the popular organizations they are spoofing. These days, using tools such as WHOIS API that can’t be fooled by minor changes in spelling may be required.